Can you put this into the melting pot of your data sharing considerations. 


(1) | don’t like the use of “Legal power to share” as it is ambiguous. There is a need to 
distinguish between where there is a requirement/obligation to share (no choice but to 
share) and those circumstances when you have the ability to share (i.e. there is a 
volunteering to share and the sharing can be refused). The former has a legal basis of 
A.6(1)(c); the other is A.6(1)(e). This is important as you have the right to object to the 
sharing with A.6(1)(e) which could be important protection for data subjects whose personal 
data have been shared. This is especially the case with Digital Economy sharing “legal 
powers” which | understand to be an ability to share if you want to. (e.g. the DEA uses 
something like “...a specified person may disclose information....” which is not an obligation 
to share). The DEA Codes are ambiguous also — if there is a legal power to share, are you 
obliged to share? 


(2 


— 


Can you stress that if there is a clash of guidance, the ICO data sharing code takes precedent 
over any Code of P produced by any SoS. 


(3) | cannot see how your Code is relevant if there is an obligation to share; have you said this? 


(4) Can you add to the data sharing agreement somewhere .... 
”What are the assumptions underpinning the data sharing or what are the Key Performance 
Indicators that demonstrate that sharing will be a success” 


“If the KPIs or assumptions are proven to be wrong, the data sharing arrangement should be 
reviewed to see whether it remains beneficial” 


“Can you pilot the data sharing arrangements to evidence the assumptions or KPIs or 
benefits to data subjects are correct” 


“If the processing has a lawful basis for the sharing is A.6(1)(e) or A.6(1)(f), what are the 
criteria when the right to object will prevail”. 


“If a data sharing partner is subject to the right to restrict, correct or erase with respect to 
personal data that have been shared, what action will other data sharing partners take with 
respect of the A.19 right to notify” 


“If data sharing is for a different purpose, has there been an assessment of compatibility of 
the disclosure purpose with the purpose of collection as required by A.6(4)”. 


Best wishes 


